Phishing Scam Warning: The Law Pages (Updated)
Background
I noticed a rather unusual phishing scam in the RingoDingo trap (part of a security product in development) and decided to take a look into it.
It's constructed in a way that has an impact - it would probably make most people panic a little, since it claims to be from a porn site called "passionateseniors.com"!
This is an "If you don't pay us we'll tell everyone" type scam, containing a bitcoin wallet address and demanding payment. Incidentally, not only is it illegal to blackmail someone like this in the UK, it's also illegal to participate in blackmail from the side of the target of said blackmail.
I've obscured details which may be useful to malicious actors but you can click-to-enlarge (not in the same way as some of the content on that website I hope) the screenshot below:
I don't even want to look at the alleged sender's website tbh :) I'll assume, based on the domain name, that the content matches the name. It's a good example of a bad scam - notice the misdirection about "my English is poor because I'm from Vietnam" too.
Details
It again looks like a case where there's been some sort of compromise somehow relating to the thelawpages.com website. The recipient email address was used once when I registered an account with them in 2016, using an email address specific to that site, and I'm not sure that I used the login more than once. I'd not heard from the company since their acknowledgement of my request.
There appears to be a questionable DKIM signature in the received email (I couldn't directly verify it but there are other reasons that it may still be valid).
The domain appears to be registered to The Law Agency / The Law Pages, and there's only a scant reference to an organisation registered in the UK; however the address doesn't match the registrant details and I'm short on time at the moment to investigate further.
As you can see their website is down, showing only an Apache test page with a self-issued TLS certificate:
So overall this looks like thelawpages.com's subscriber database has been compromised, and potentially the sender's email servers have also been compromised - or they are part of the scam themselves.
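The two signals the post leans on - a recipient address that was only ever given to one site, and a DKIM signature whose signing domain doesn't obviously belong to the claimed sender - can be checked mechanically. The following is an added example, not code from the original post: it parses a constructed sextortion-style message, attributes the leak via a hypothetical alias-to-site mapping, checks whether the DKIM `d=` domain aligns with the From domain, and flags bitcoin-address-shaped strings and threat wording. All addresses, domains and the bitcoin-looking string are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message, received at a per-site alias (not a real email).
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=sel; h=from:to;
 bh=ZmFrZQ==; b=ZmFrZQ==
From: "Support" <noreply@adult-site.example>
To: <me+lawpages@example.org>
Subject: You have been recorded

I have video of you. Send 500 USD to 1ConstructedFakeAddrConstructedFak
or I send it to all your contacts. Sorry my English is poor.
"""

# Hypothetical mapping: which service each site-specific alias was given to.
ALIASES = {"me+lawpages@example.org": "thelawpages.com"}

# Base58 legacy (1.../3...) and bech32 (bc1...) address shapes.
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,60})\b")
THREAT_RE = re.compile(r"\b(video|recorded|webcam|contacts|pay)\b", re.I)

def analyse(raw: str) -> dict:
    """Return attribution and DKIM-alignment findings for one raw message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    # Pull the signing domain (d=) out of the DKIM-Signature header, if any.
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = m.group(1).lower() if m else None
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    return {
        "leaked_via": ALIASES.get(to_addr),          # which site the alias belonged to
        "dkim_domain": dkim_domain,
        "dkim_aligned": dkim_domain is not None and dkim_domain == from_domain,
        "btc_addresses": BTC_RE.findall(body),
        "threat_terms": len(THREAT_RE.findall(body)),
    }

def is_sextortion(report: dict) -> bool:
    """Payment address plus threatening language is the pattern in this scam."""
    return bool(report["btc_addresses"]) and report["threat_terms"] >= 2
```

A signature that validates cryptographically but is signed by an unrelated domain only proves the message passed through that server intact, not that the claimed sender wrote it.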
Think about it - if you were simply browsing a website, how would they have your email address and be able to record you picking your nose (or anything else as suggested here!).
Please don't fall for this kind of thing. I'll get in touch with the contact for the sender domain and will update if there's anything relevant here.
Updated
There was no response from the owners of the domain and I can now see their website is operational again. The information on the site ties into the company registered in the UK and it's clear that one of two scenarios has occurred:
- Their systems were compromised and used to send out a mass phishing mail using the Law Pages data (including my own)
- Someone acquired the Law Pages data (including my own) due to a security flaw and exploited it in order to send the email I was sent
In either case, the Law Pages aren't saying anything about the breach and loss of personal data, which must have occurred some time between September 2016 and April 2018. LP's IT Director, David Ferguson, is surely aware that there was a problem, given that their website was down entirely for at least six days.
Strange behaviour considering they're registered data controllers, and therefore are aware of their legal responsibilities for personal data.